ERASMUS UNIVERSITY ROTTERDAM Erasmus School of Economics
Bachelor Thesis Bachelor of Economics and Business Economics
The effects of data breaches on the stock price in the period 2016-2018
Name Student: Ralph Schuurman Student ID Number: 434988
Supervisor: Dr. R. Cox Second Assessor: Dr. J. Kil
Date Final Version: July 23, 2019
The views stated in this thesis are those of the author and not necessarily those of Erasmus School of Economics or Erasmus University Rotterdam.
Abstract
Event study methodology was used to study the effect of data breaches on the stock price in the period 2016-2018 for 123 firms listed on the United States stock market. In contrast to most previous work on earlier periods, no significant results were found indicating an effect in this period. This is in line with a declining trend found in earlier research on data breach effects. The effect of the size of a data breach on the stock price reaction was also studied. The size of the data breach did not have a significant effect on the stock price reaction.
Table of Contents
ABSTRACT
INTRODUCTION
RESEARCH QUESTION
THEORETICAL FRAMEWORK
DATA BREACH RESEARCH
DOWNWARD SHIFT IN THE LATER YEARS
CONSEQUENCES OF A DATA BREACH
SIZE OF THE DATA BREACH
DATA
METHODOLOGY
EFFICIENT MARKET HYPOTHESIS
EVENT STUDY METHODOLOGY
THE MODEL
EVENT WINDOW
ESTIMATION WINDOW
CROSS-SECTION ANALYSIS
RESULTS
CONCLUSION AND DISCUSSION
REFERENCES
APPENDIX
Introduction
The number of data breaches has risen in the past years. In 2005, there were 136 data breaches in the United States, as reported by the Privacy Rights Clearinghouse. In 2017 there were 765 breaches. Not only has the number of data breaches increased, the number of records exposed in these breaches has also risen. In 2005 the average number of records breached per data breach was 405 thousand records. In 2017, this was 2.6 million. The industry type has also changed through the years: since 2009 the medical sector has been the leading sector in the number of data breaches, though not in records breached (Privacy Rights Clearinghouse, 2019). Governments and supranational entities have also recognized this trend in data breaches. The European Union has introduced the General Data Protection Regulation (GDPR) to decrease the number of data breaches and protect the privacy of its citizens. One of the main requirements in the GDPR is the data breach notification obligation. In case of a personal data breach, the controller (including companies) must report the data breach within 72 hours to the competent supervisory authority (GDPR, 2019). Compared to the European Union, the United States has been lacking in terms of data regulation on the federal level. Most regulation on data breaches has been made in state laws. In contrast to the GDPR, no data breach notification obligation exists on the federal level, and regulation therefore differs per state. All 50 states at the time of writing have a data breach notification law, with South Dakota and Alabama only passing such a law in 2018. One of the biggest data breaches in the United States was the breach of Equifax. Personal information of 143 million Americans was accessed during this breach, including names, Social Security numbers and sometimes credit card numbers (Federal Trade Commission, 2017).
Recently it was announced that Equifax has to pay around $700 million as a consequence of this breach (Wall Street Journal, 2019). When a company is listed on a stock exchange, a breach could have an effect on the stock price, as a data breach is an unannounced, unexpected cost. After Facebook profiles were harvested in 2018 by Cambridge Analytica, Facebook shares fell more than 24 percent in the week after the data breach was announced. The corresponding market value loss was roughly 134 billion dollars (CBS News, 2018). Even so, within two months of this decline Facebook recorded a record high share price, more than 12% above the share price before the drop.
Equifax recorded a similar drop after the announcement of its data breach. The share price of Equifax dropped 33% after the announcement (Forbes, 2017). Now, almost two years later, the stock price of Equifax has not been higher than it was just before the announcement. Other factors must be considered when comparing stock prices over a longer period; still, it cannot be ruled out that the data breach announcement had some impact on the share price. This thesis examines the effect of a data breach on the stock price in the years 2016 through 2018. These breaches involve personal information such as social security numbers, addresses, names, passwords and sometimes credit card information and/or medical information. Data breaches and their effect on stock prices have been studied previously. Most of these studies found that a data breach announcement has a negative effect on the stock price. These previous studies did not include events from 2014 onwards. In this paper, the more recent years are studied to find out whether recent privacy laws and a larger total number of breaches may have influenced the effect. Previously it was found that, even though data breaches provoked a negative stock price reaction, the reaction declined in the later periods. It was also found that stocks of companies that had experienced a data breach before do not show a negative reaction when a new data breach is announced. This thesis studies a later period than earlier research, and most of the companies studied had already experienced data breaches before. This is why this thesis can add value to the existing literature: following this declining trend, the stock price reaction to data breaches may have declined further or may be nonexistent in the period 2016 – 2018.
Research question
The research question is stated as: What is the effect of the announcement of a data breach on the stock price of the company concerned in the years 2016 until 2018?
This research focuses exclusively on companies listed on the United States stock market. Previous work has also been almost exclusively focused on companies located in the United States. In contrast to the existing literature, the effect of the size of the data breach in terms of records breached is also studied.
In this study, no significant stock price reaction was found after the announcement of a data breach in the studied period, for multiple event windows. Significance was tested using both a parametric and a non-parametric test. This is not in line with most previous research, but it does confirm a trend in which the reaction to data breaches has shifted downward. Also in contrast to what was expected, the number of records breached had no significant effect on the reaction to the data breach announcement.
Theoretical framework
Data breach research
Data breaches and their effect on stock prices have been a topic of research for more than a decade. Garg, Curtis & Halper (2003) found a significant negative reaction in the period 1999-2002 and estimated the average cost of a breach at $17-$28 million. Earlier studies found average costs ranging from 50 thousand dollars to 2 million dollars. Another study from that time also showed that breaches in digital security have a negative effect on stock prices (Cavusoglu, Mishra, & Raghunathan, 2004). That paper considered all types of security events, including events in which no personal data was affected, such as DoS attacks. The period 1995 till 2001 was used, and it was concluded that compromised firms had a negative abnormal return of approximately 2.1%. The finding that data breach announcements had a negative impact on the stock price was repeated in the years after. Acquisti, Friedman and Telang (2006) studied the period 2000-2005 and found a negative reaction of -.58%. One study concluded that a data breach has a negative and statistically significant effect of -.84% on shareholder wealth in the period 2004 till 2006 and, more interestingly, that the negative market reaction to a data breach was more significant in the more recent time periods (Gatzlaff & McCullough, 2010). Gordon, Loeb & Zhou (2011) found a negative reaction of -.0091% in the period 1995-2007 but also concluded that the period 2002-2007 was insignificant. Pirounias, Mermigas & Patsakis (2014) had trouble finding statistically significant results in the period 2008-2011 but still concluded that a data breach announcement had a negative impact on the stock price. Rosati et al. (2018) is the most recent study to date. A statistically significant negative reaction was found for the period 2011-2014.
This research differed from other research in that it only used companies that actively use Twitter, which may limit the validity of the results for companies without an (active) Twitter account. Of 45 studies found on the impact of information security events on the stock market, the majority (75.4%) reported a statistically significant impact of the event on the stock price (Spanos & Angelis, 2016). The type of breach could also influence the market reaction, as it affects the cost of the breach. In one study, a significant negative market reaction was found only when the data breach involved unauthorized access to confidential data (Campbell et al., 2003). One could argue that if an information security breach has a negative effect on the stock price, the opposite should also be true: an investment to improve information security should have a positive effect on the stock price. Substantial support for this was found. The announcement of security investments led to positive abnormal returns in the United States stock market between 1997 and 2006 (Chai, Kim & Rao, 2011).
Downward shift in the later years
As stated in the introduction, the number of data breaches has risen and the number of records breached has also grown impressively; this could mean that investors react differently than before. When data breaches in the period 1995 till 2007 were examined, it was found that even though the data breaches had a significant negative effect on the stock price, a downward shift had occurred in the later period (Gordon, Loeb & Zhou, 2011). This means that the effect of a data breach was, in contrast to Gatzlaff & McCullough (2010), less prominent in the later years. To explain this phenomenon, two reasons were given. The first is more effective remediation and disaster recovery used by firms because of the increase in breaches. The second is that the tendency of customers to refrain from doing business with firms experiencing data breaches has decreased. The result is that investors would see security breaches as a “nuisance” instead of a potential economic threat, meaning that they have become less sensitive to breaches. A real-life consequence of this could be that corporate executives are less inclined to invest in digital security. This situation could be described as a principal-agent problem: the company that needs to protect the data from others has no incentive to do so, and the ones whose data were breached are the only ones experiencing negative effects. The implication would be that privacy in itself will be less valued. The theory that investors are less sensitive to data breaches in later periods was also found by Pirounias, Mermigas & Patsakis (2014). They found an abnormal return of -2.1% for the period 1995-2004 and an abnormal return of -0.34% for the period 2002-2007, but the latter value was not significant. Repeated data breaches at the same company were also studied before, using events that transpired between 2005 and 2013.
The findings were that there was a negative stock price reaction to the first breach, but there was weak statistical evidence that the market reacts differently to a second breach of the same organization (Schatz & Bashroush, 2016), implying that second breaches have less impact than first breaches. This is also in line with the theory that investors consider data breaches less of a problem in more recent time periods, as described by Gordon, Loeb & Zhou (2011) and Pirounias, Mermigas & Patsakis (2014). In other words, because breaches have happened before at the same company and more breaches in general are taking place every year, the shock effect of a data breach has decreased. The question does arise whether the effect of data breaches on stock prices matters in the long term for firms. Some research has indicated, in line with previous research, that security breaches do have a negative and significant impact on market value on the event day, but that the effect then decreases and loses statistical significance (Acquisti, Friedman and Telang, 2006). This should also be taken into account when interpreting the results. As most of the previous research indicates that a data breach will have a (negative) effect on the stock price, the first hypothesis is formulated as follows:
The announcement of a data breach has a significant effect on the stock price in the period 2016 – 2018.
Consequences of a data breach
To understand why data breaches can influence the stock price, the consequences of a breach should also be looked at. The most widely used source for the costs of data breaches is the yearly report by the Ponemon Institute. This report specifies the cost of data breaches by conducting interviews with breached companies. In the United States the average cost per breach in 2018 amounts to 7.91 million dollars, with an average of 233 dollars per breached record. The biggest cost when experiencing a data breach is lost business, for a large part customer turnover. The churn rate differs greatly per industry: the health and financial industries are at the top, both with a churn rate above 6%, whilst retail is at the bottom with 2.1%. Organizations in the United States pay the most for losing customers, almost twice as much as the number two, Mexico. Using these figures and, if available, the number of records lost, this paper examines whether the loss in stock price when experiencing a data breach is in proportion to the expected loss. This is also a test of the efficient market hypothesis. The efficient market hypothesis implies that the loss in market capitalization equals the expected financial loss. If the cost of a breach does not equal the decline in market value, the efficient market hypothesis does not hold. No previous research has compared these two values. By comparing the figures from the Ponemon Institute with the breaches, it is possible to estimate whether the possible losses in market capitalization due to data breaches are justified.
Size of the data breach
Data breaches come in different sizes. Some breaches only affect the records of a handful of parties. Other breaches can affect the records of hundreds of millions or even billions of different parties. The number of records breached will have an effect on the company’s future financials, as more records breached also means bigger lawsuits and less confidence from consumers and other businesses that their records are safe with the breached company. The size of the company does have an effect on the market reaction (Gatzlaff & McCullough, 2010), but no paper before has tested the effect of the breach size itself. A previous study has indicated that knowledge of the number of records breached does not have a significant effect (Rosati et al., 2018). To test whether the size of the data breach has an effect on the market reaction, a second hypothesis has been formulated to test whether bigger data breaches imply a higher cost. The second hypothesis is:
The size of the breach measured in records breached has a negative significant relation with the effect on the share price.
Data
The sample of data breaches was collected using the list of data breaches maintained by the Privacy Rights Clearinghouse for the period 2016 till 2018. This list is not an exhaustive list of all data breaches that have ever occurred in the United States. The disclosure of data breaches is regulated at the state level; most state laws follow the state law of California, as this was the first state to pass such regulation. The state law of California requires businesses to disclose any breach of security to any Californian residents whose unencrypted personal data was, or could have been, acquired by an unauthorized person. Because this is a state law, only corporations with a physical location in California are subject to it. A New York corporation with no location in California is not subject to this law, even though the subjects of the data breach could very well be Californian residents. This means that until the other states implemented a comparable law, not all data breaches were reported and therefore not all breaches could have been added to the Privacy Rights Clearinghouse database. The list also almost exclusively includes companies in the United States. Previous research has also used the database of the Privacy Rights Clearinghouse, although none has used breaches later than 2014 (Gatzlaff & McCullough, 2010; Schatz & Bashroush, 2016; Rosati et al., 2018). In 2016, there were 768 breaches reported, in 2017 681 and in 2018 414, for a total of 1863 breaches. As this research focuses on the effect of a data breach on the stock price, only breaches of companies that were public at the time of the breach were included in the sample. This leads to 137 data breach events in the period. To better measure the effect of the data breach on the stock price, events that took place on days when the stock market was closed were excluded. One event was excluded because no trades in the stock were made on the date of the event and the days after.
This was also the only stock listed on an illiquid exchange. The total number of events is therefore 123. As recommended by others, the firm names and event dates are in the appendix in Table 1A (McWilliams & Siegel, 1997; De Jong & Naumovska, 2015). Under the classification ‘data breach’ the same definition is used as the Privacy Rights Clearinghouse uses, also used in Rosati et al. (2018): “A data breach is when a company inadvertently leaks your personal information as a result of a hack attack, lost or stolen computers, fraud, insider theft, and more” (Privacy Rights Clearinghouse, 2011).
Of the 123 data breach events, 48 had an unknown number of records breached. For the breaches where the number of records breached was known, the average number of records breached was 56,095,195 records and the median was 3674 records. This large difference is explained by outliers in the number of records breached. Interestingly, the two biggest data breaches were at the same company, Yahoo. On 22 September 2016 Yahoo had a breach of 500 million records and on 14 December 2016 Yahoo had a data breach of 3 billion records. According to the database used, 83 of the 123 data breach events were data breaches at companies that had experienced a breach before the event period. The Privacy Rights Clearinghouse sorts the type of organization using eight classifications: Business-Financial and Insurance Services (BSF), Businesses – Other (BSO), Business-Retail/Merchant Including Online Retail (BSR), Educational Institutions (EDU), Government & Military (GOV), Healthcare, Medical Providers & Medical Insurance Services (MED), Nonprofits (NGO) and Unknown (UNKN). As governments and nonprofits are not publicly traded, these do not appear in the sample.
The distribution for the different classifications is described by Table 1.
Table 1. Overview of breaches. The table reports summary statistics for 132 data breaches between 2016 and 2018. N, the number of breaches with a known record count, and the average and median number of records breached are included. The data and classification are retrieved from the Privacy Rights Clearinghouse.

Classification                                                 N     # records breached known   Average records breached   Median records breached
Business-Financial and Insurance Services                      21    11                          7,048,565                  1253
Businesses – Other                                             44    13                         83,036,009                  431,000
Business-Retail/Merchant Including Online Retail               15    12                         26,980,203                  1292
Healthcare, Medical Providers & Medical Insurance Services     43    39                             19,357                  2426
Total                                                         123    75                         56,095,195                  3674
Both the average and the median number of records breached are highest in the Businesses – Other category. This is explained by the fact that social networks and websites such as Facebook and Twitter experience the biggest data breaches and are included in this category. One thing that should be considered about the number of records breached is that in the sample this is often the possible number of records breached, not necessarily the true number of records breached. When it is unknown how many records were breached but known how many records could possibly have been breached, the Privacy Rights Clearinghouse counts the number of possible records breached. A bug in a website that could expose the data of 100 million customers is counted as 100 million records breached. This does not mean that these 100 million records were actually accessed by unauthorized parties.
Methodology
Efficient market hypothesis
To examine the effect of a data breach, event study methodology based on the efficient market hypothesis (EMH) is adopted. Coined by Fama in 1970, the efficient market hypothesis states that in an efficient market all available information is reflected in prices (Fama & Malkiel, 1970). Three forms of market efficiency were discussed in that paper: the weak form, the semi-strong form and the strong form. In a later paper, Fama revised the definitions (in the same sequence) to predictability, event studies and tests for private information (Fama, 1991). In the weak form (predictability) past price information is priced into the stock and thus cannot be used to predict the future of the stock. This means that future securities’ prices follow a random walk. In the semi-strong form (event studies) prices reflect all public information, including public information about the future. This implies that it is only possible to earn abnormal returns by using non-public information. In the strong form (tests for private information) all information, public and private, is incorporated in market prices. This implies that insider trading cannot be used to earn abnormal returns. If the strong form of the EMH prevails, making information such as data breaches public will have no effect on the stock price. If the semi-strong form of the EMH prevails, the new information of the data breach will be immediately reflected in the stock price of the corresponding company. If the weak form of the EMH prevails, the announcement of a data breach will be incorporated in the stock price, although not immediately. Event studies are often used to test the semi-strong form and generally do support it. As this thesis performs an event study, the semi-strong form of the EMH is tested.
If the semi-strong EMH hypothesis holds, the reaction on the event from investors on the stock price should reflect the actual costs incurred because of the data breach.
Event study methodology
Event studies have long been used to measure the impact of a specific event on a firm’s value. Applications of the event study include, among others, announcements of mergers and acquisitions, changes in regulatory measures and legal liability cases. Since its introduction, event study methodology has become the standard method of measuring the reaction of a security price to an event (Binder, 1998). The reasoning behind an event study is that, because of rationality in the market, the effects of an event will be immediately reflected in security prices (MacKinlay, 1997). In research where the effect of data breaches on firms and their stock prices is studied, event studies are used almost exclusively. This is partly because firms often do not disclose the actual cost of a data breach. To perform the event study, multiple steps are followed, as described by Campbell et al. (1997) and McWilliams & Siegel (1997). The event and event window are defined and the relevant firms are selected (as described in the Data section). Then a model to estimate the normal and abnormal returns is chosen. Using this model, the cumulative abnormal returns are estimated and tested.
The model
The model used to estimate normal and abnormal returns is the Market Model. When comparing the Mean-Adjusted Returns Model, the Market-Adjusted Returns Model and the Market Model, there is a slight preference for the Market Model (Dyckman et al., 1984). Most other literature regarding event studies on data breaches uses the market model (including Gatzlaff & McCullough, 2009 and Rosati et al., 2018).
This model is specified as:
$R_{i,t} = \alpha_i + \beta_i R_{m,t} + \varepsilon_{i,t}$
where
$R_{i,t}$ is the return on security i in period t
$\alpha_i$ is a measure of risk-adjusted performance
$\beta_i$ is a measure of systematic risk
$R_{m,t}$ is the return on the market portfolio in period t
$\varepsilon_{i,t}$ is the disturbance term for security i in period t
The abnormal return (AR) is represented by $\varepsilon_{i,t}$, as this is the difference between the actual return and the expected return based on the estimation. This can also be written as the following formula:
$AR_{i,t} = R_{i,t} - (\alpha_i + \beta_i R_{m,t})$
These abnormal returns will then be summed for the event period to obtain the cumulative abnormal returns (CAR).
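The estimation and summation just described, as an added example that is not part of the thesis: a self-contained Python implementation that fits the market model by ordinary least squares over an estimation window, computes the daily abnormal returns $AR_{i,t}$ over an event window, sums them to the CAR, and finally sets the market-value change implied by the CAR beside the expected breach cost, the comparison proposed in the Consequences section. All return series, the market capitalization and the record count are constructed for illustration; the 233 dollars per record is the Ponemon 2018 figure quoted earlier on the page.

```python
# Added example (not from the thesis): a minimal market-model event study.
# All return series, the market capitalization and the record count below
# are constructed; the $233 per record is the Ponemon 2018 figure the text cites.
from typing import List, Sequence, Tuple


def ols_market_model(r_i: Sequence[float], r_m: Sequence[float]) -> Tuple[float, float]:
    """Estimate alpha_i and beta_i of R_{i,t} = alpha_i + beta_i * R_{m,t} + eps_{i,t}
    by ordinary least squares over the estimation window."""
    n = len(r_i)
    if n != len(r_m) or n < 2:
        raise ValueError("estimation window needs at least two paired observations")
    mean_i = sum(r_i) / n
    mean_m = sum(r_m) / n
    s_im = sum((a - mean_i) * (b - mean_m) for a, b in zip(r_i, r_m))
    s_mm = sum((b - mean_m) ** 2 for b in r_m)
    if s_mm == 0.0:
        raise ValueError("market return has no variance; beta is undefined")
    beta = s_im / s_mm
    alpha = mean_i - beta * mean_m
    return alpha, beta


def abnormal_returns(r_i: Sequence[float], r_m: Sequence[float],
                     alpha: float, beta: float) -> List[float]:
    """AR_{i,t} = R_{i,t} - (alpha_i + beta_i * R_{m,t}) for each event-window day."""
    if len(r_i) != len(r_m):
        raise ValueError("event window series must be the same length")
    return [ri - (alpha + beta * rm) for ri, rm in zip(r_i, r_m)]


def cumulative_abnormal_return(ar: Sequence[float]) -> float:
    """CAR over the event window is the plain sum of the daily abnormal returns."""
    return sum(ar)


def run_event_study(est_firm, est_market, ev_firm, ev_market):
    """Full pipeline: estimation window -> (alpha, beta) -> AR per day -> CAR."""
    if any(r is None for r in ev_firm):
        # Mirrors the thesis's exclusion of an event with no trades on the event days.
        raise ValueError("event excluded: no trades on one or more event-window days")
    alpha, beta = ols_market_model(est_firm, est_market)
    ar = abnormal_returns(ev_firm, ev_market, alpha, beta)
    return alpha, beta, ar, cumulative_abnormal_return(ar)


def implied_loss_vs_expected_cost(car_value: float, market_cap: float,
                                  records: int, cost_per_record: float = 233.0):
    """Market-value change implied by the CAR beside the expected breach cost
    (records breached times cost per record), the comparison the thesis proposes."""
    return car_value * market_cap, records * cost_per_record


# Constructed estimation-window returns: the firm series is exactly
# 0.001 + 1.2 * market, so OLS should recover alpha = 0.001 and beta = 1.2.
EST_MARKET = [0.010, -0.020, 0.015, 0.005, -0.010, 0.020, 0.000, -0.005]
EST_FIRM = [0.001 + 1.2 * m for m in EST_MARKET]
# Constructed event window (-1, 0, +1) with a drop on the announcement day (t = 0).
EV_MARKET = [0.004, -0.003, 0.002]
EV_FIRM = [0.002, -0.030, -0.010]

if __name__ == "__main__":
    alpha, beta, ar, car = run_event_study(EST_FIRM, EST_MARKET, EV_FIRM, EV_MARKET)
    print(f"alpha={alpha:.4f} beta={beta:.3f}")
    print("AR per day:", [round(x, 4) for x in ar])
    print(f"CAR(-1,+1) = {car:.4f}")
    implied, expected = implied_loss_vs_expected_cost(car, 10_000_000_000, 250_000)
    print(f"implied market-value change ${implied:,.0f} vs expected cost ${expected:,.0f}")
```

With the constructed inputs the fit returns alpha = 0.001 and beta = 1.2, the abnormal returns are -0.0038, -0.0274 and -0.0134, and CAR(-1,+1) = -0.0446. The OLS step refuses a constant market series (beta undefined) and the pipeline refuses an event with missing trading days, the two data problems the Data section mentions.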